
The organizational structure of an IT department is usually the result of a series of changes, trials, experiments and political manipulations. It is often adjusted to suit or accommodate individuals. As a result, the organization is sometimes cumbersome and the cause of problems, inefficiency, and excess cost. The process described herein has been developed from experience gained by participating in numerous efforts to redesign and transform IT organizations.

Step 1: Select the Standards
The primary objective is to deliver value to stakeholders from IT-enabled investments. The organizational design should follow standards and good practices so that the resulting design is easy to defend and noncontroversial. Start by selecting from the following set of frameworks, standards, and good practices:

COBIT 5—Ensures that all aspects of IT are covered in terms of processes as well as tasks. COBIT 5 also provides the structure needed to ensure that alignment exists from stakeholder requirements through the enterprise and IT-related goals to all enablers.

Skills Framework for the Information Age (SFIA V6)—Ensures that all skills that are required have been included and are reflected in the design of job descriptions.

ISO/IEC 38500:2015—Covers the IT governance aspects in detail.

ISO/IEC 20000:2011—Covers the service management aspects in detail.

ISO/IEC 27001:2013—Covers the information security aspects in detail.

Some organizations may prefer to add more standards, good practices or local regulations, codes or laws. One of the very helpful codes in this regard is King III (soon to be King IV), which is the corporate governance code from South Africa. It can be used anywhere to design a robust IT governance system. Of the 5 previously listed frameworks, standards and good practices, the first 2 cannot be neglected. Senior management may decide not to consider the remaining 3.

Step 2: The First Iteration
The first iteration of the functional organization comes straight from COBIT 5 and consists of the following functional elements:

Board of directors (BoD)

Strategy executive committee of the BoD

Steering committee (reporting to the chief executive officer [CEO])

CEO

Chief information officer (CIO)

Evaluate, Direct and Monitor (EDM) domain

Align, Plan and Organize (APO) domain

Build, Acquire and Implement (BAI) domain

Deliver, Service and Support (DSS) domain

Monitor, Evaluate and Assess (MEA) domain

The accountabilities and responsibilities of these are listed in the various responsible, accountable, consulted and informed (RACI) charts in COBIT 5: Enabling Processes. The accountabilities and responsibilities of the BoD, the strategy committee, the steering committee and all the chief officers (CxOs) can be compiled at this stage from the various RACI charts. The “Activities” listed under the respective processes in the EDM domain spell out the activities in which these entities have to be involved. SFIA V6 can then be used to ensure that all skills needed by these entities have been accounted for and are possessed by various stakeholders. At the conclusion of this step, the accountabilities, responsibilities, and activities of the BoD, the strategy committee, the steering committee and the CxOs have been decided and documented.

Step 3: Design the APO, BAI and DSS Sections
The APO, BAI and DSS domains consist of many subdomains (called processes in COBIT 5). These COBIT 5 processes may need to be grouped to reduce the number of sections and, therefore, the head count. However, in large organizations, each process may be a section by itself. The following are just logical suggestions for possible groupings:

APO01 and APO02 may be combined to form a section titled “IT Strategy.”

BAI08, BAI09 and BAI10 go under the “Asset and Configuration Management” section.

DSS01 forms the very important “IT Operations” section.

DSS02 and DSS03 combine in the “Incident and Problem Management” section.

DSS04 becomes the “Continuity Management” section.

DSS05 becomes the “IT Security” (not “Information Security”) section.

DSS06 forms the “Controls Management” section.

In small IT organizations, these processes may be combined further, taking care that some segregation is maintained and all listed activities and all related metrics have been assigned.

Step 4: Design the MEA Section
Medium-sized and large IT setups should preferably have an IT assurance section that ensures that IT governance is being done within the IT setup. It should coordinate with internal audit in the planning and conduct of technology audits. It should also coordinate with the corporate compliance department in the planning, implementation and monitoring of laws, codes, standards and good practices. In small IT shops, the MEA section can be either part of internal audit or split between internal audit and corporate compliance. However, in any case, the activities and the related metrics need to be assigned completely.

Step 5: Design the Job Descriptions
Having designed the organization structure, it is necessary to design the respective job descriptions. Job descriptions can be created as a combination of the activities and the related metrics given by COBIT 5 and the activities listed in SFIA V6. The following has to be ensured to finalize the job descriptions:

All activities in COBIT 5 have been assigned.

All related metrics in COBIT 5 have been assigned.

All skills at all levels of responsibility listed in SFIA V6 have been assigned.

Any activities, related metrics and skills (at any level of responsibility) that have not been assigned should be listed and their nonassignment justified.

Step 6: Revise the IT Processes
The job descriptions should be synchronized with the IT processes. Therefore, it is necessary that all IT processes are reviewed and the responsibilities therein reassigned to conform to the new job descriptions. IT organization design and maintenance is best done using proper tools. The capabilities required include:

Process management

Enterprise architecture

Risk management

Many governance, risk management and compliance (GRC) tools have been assessed and analyzed from the perspective of using them for organization design. A GRC tool that has strong process management capabilities integrated with risk management and enterprise architecture is a must. It is ideal if, in addition, that suite of tools supports a maturity assessment.

The 6-step process described in this article has been used in designing the organization structures in many organizations, big and small, and it works. The activity may take weeks in large organizations and can be as short as a week in small ones. In using this methodology, there is a need for synchronization between the activities listed in COBIT 5 and the skills described in SFIA V6 at different levels of responsibility. Any reorganization deals directly with humans, and there is a human factor that may, at times, oppose the recommendations of this methodology. This factor needs to be considered only to the extent that it does not interfere with the requirements of segregation of duties. The final recommendation is that the organization design be done as per theory and then fine-tuned to accommodate the politics.

IT Governance covers the culture, organization, policies and practices that provide this kind of oversight and transparency of IT. IT Governance is part of a wider Corporate Governance activity, but with its own specific focus. The benefits of good IT risk management, oversight and clear communication not only reduce the cost and damage caused by IT failures, but also engender greater trust, teamwork and confidence in the use of IT itself and in the people trusted with IT services. IT Governance has become very topical for a number of reasons:

IT has a pivotal role to play in improving corporate governance practices.

Management’s awareness of IT related risks has increased.

There is a focus on IT costs in all organizations.

There is a growing realization that more management commitment is needed to improve the management and control of IT activities.

Reference:

IT Governance: Developing a Successful Governance Strategy. A Best Practice Guide for Decision Makers in IT.